Bug 18153 - Format string bug in ucd-snmp
Summary: Format string bug in ucd-snmp
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ucd-snmp
Version: 7.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-10-02 23:04 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-10-03 17:56:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Chris Evans 2000-10-02 23:04:39 UTC 
Not particularly severe for various reasons;
- I'm not sure if you ship with syslogging enabled by default
- Even if you did, it might not be exploitable
- And you don't listen on the snmp network port by default anyway.

Still,
If we look at
ucd-snmp-4.1.2/snmplib/snmp_logging.c: snmp_log_string():
...
#if HAVE_SYSLOG_H
  if (do_syslogging) {
    syslog(priority, string);
  }
#endif
...
That syslog() call is mising "%s" as a second argument. Classic format
string bug.
Probably best to patch for the next release, but I doubt it warrants an
update unless you _do_ enable syslogging by default.
Check it out and update this bug if syslogged is enabled by default.
Comment 1 Daniel Roesen 2000-10-03 17:56:13 UTC 
I think this is serious, even if default config is not exploitable.
Comment 2 Jeff Johnson 2000-10-12 15:22:08 UTC 
Fixed in ucd-snmp-4.1.2-9.
Note You need to log in before you can comment on or make changes to this bug.